Fire telegraf user sync on salt/key accept, not salt/auth

salt/auth fires on every minion authentication — including every minion
restart and every master restart — so the reactor was re-running the
postgres.auth + postgres.telegraf_users + telegraf orchestration for
every already-accepted minion on every reconnect. The underlying states
are idempotent, so this was wasted work and log noise, not a correctness
issue.

Switch the subscription to salt/key, which fires only when the master
actually changes a key's state (accept / reject / delete). Match the
pattern used by salt/reactor/check_hypervisor.sls (registered in
salt/salt/cloud/reactor_config_hypervisor.sls) and add the result==True
guard so half-failed key operations don't trigger the orchestration.

salt/reactor/telegraf_user_sync.sls

@@ -3,8 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{# Fires on salt/auth. Only act on accepted keys — ignore pending/reject. #}
+{# Fires on salt/key. Only act on successful key acceptance — not reauth. #}
-{% if data.get('act') == 'accept' and data.get('id') %}
+{% if data.get('act') == 'accept' and data.get('result') == True and data.get('id') %}
 
 {{ data['id'] }}_telegraf_pg_sync:
   runner.state.orchestrate:

salt/salt/master.sls

@@ -67,7 +67,7 @@ reactor_config_telegraf:
     - name: /etc/salt/master.d/reactor_telegraf.conf
     - contents: |
         reactor:
-          - 'salt/auth':
+          - 'salt/key':
             - /opt/so/saltstack/default/salt/reactor/telegraf_user_sync.sls
     - user: root
     - group: root